1. Field of the Invention
The present invention relates generally to computer security, and more particularly but not exclusively to methods and apparatus for protecting computers against web threats.
2. Description of the Background Art
Web threats include malicious codes (e.g., computer viruses), fraudulent schemes (e.g., phishing), coordinated attacks against particular computers, exploits, and other threats that use the Internet to perpetrate a cyber crime or malicious action. A popular technique for protecting computers against web threats includes maintaining a reputation database of known malicious web servers. The reputation database may reference a malicious web server by its uniform resource locator (URL). A computer may check the URL of a web server against the reputation database to determine the reputation of the web server. Communications to web servers having bad reputations may be blocked to prevent exposure to web threats.
Unfortunately, web threats have become more sophisticated to get around URL filtering and other web threat protection techniques. Some web threats are targeted to specific users. For example, a web threat may have different content depending on the user or be served from different URL's depending on the user's location. As a particular example, a cyber criminal may deliver malicious content via an advertisement network. In that case, it is difficult to detect the malicious content because an advertisement provider may randomly choose different content by geographic location or user profile.